#!/usr/bin/python3
# Authors:
#   Petr Viktorin <pviktori@redhat.com>
#   John Dennis <jdennis@redhat.com>
#   Martin Kosek <mkosek@redhat.com>
#
# Copyright (C) 2011  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Test the managed permission ACIs against a known-good ACI list
# to ensure that changes aren't made lightly.
# Can either regenerate ACI.txt, or validate against it.

from __future__ import print_function

import sys
import difflib
from argparse import ArgumentParser

from ipalib import api
from ipapython.dn import DN
from ipapython.ipaldap import LDAPClient


def parse_options():
    parser = ArgumentParser()
    parser.add_argument('--validate', dest='validate', action='store_true',
        default=False, help='Validate the API vs the stored API')
    parser.add_argument('filename', nargs='?', default='ACI.txt',
        help='File to create or validate, default: ACI.txt')

    options = parser.parse_args()
    return options


def generate_aci_lines(api):
    """Yields ACI lines as they appear in ACI.txt, with trailing newline"""
    update_plugin = api.Updater['update_managed_permissions']
    perm_plugin = api.Object['permission']
    fake_ldap = LDAPClient(None, force_schema_updates=False, no_schema=True)
    for name, template, obj in update_plugin.get_templates():
        dn = perm_plugin.get_dn(name)
        entry = fake_ldap.make_entry(dn)
        update_plugin.update_entry(
            obj=obj,
            entry=entry,
            template=template,
            anonymous_read_aci=None,
            is_new=True,
        )
        aci = perm_plugin.make_aci(entry)
        yield 'dn: %s\n' % entry.single_value['ipapermlocation']
        yield f'aci: {aci}\n'

        check_member_attrs(name, template)


def check_member_attrs(name, template):
    """Check that member* attrs are always present together for read

    ldap2._process_memberofindirect reads all these attributes together;
    if the user doesn't have rights to one of them, the entire entry is
    left out and memberofindirect processing returns wrong a result.
    So we need all of them be readable.
    """
    checked_attrs = ['member', 'memberuser', 'memberhost']
    perm_attrs = template.get('ipapermdefaultattr', ())
    flags = [(a in perm_attrs) for a in checked_attrs]
    if 'read' in template['ipapermright'] and any(flags) and not all(flags):
        raise AssertionError("'%s' includes some  but not all of %s" %
                             (name, checked_attrs))


def main(options):
    api.bootstrap(
        in_server=True,
        in_tree=True,
        debug=False,
        verbose=0,
        validate_api=True,
        enable_ra=True,
        mode='developer',
        plugins_on_demand=False,
        basedn=DN('dc=ipa,dc=example'),
        realm='IPA.EXAMPLE',
        domain="example.com",
    )

    from ipaserver.install.plugins import update_managed_permissions
    api.add_module(update_managed_permissions)

    api.finalize()

    output_lines = list(generate_aci_lines(api))

    if options.validate:
        with open(options.filename) as file:
            file_lines = file.readlines()
        if file_lines != output_lines:
            diff = list(difflib.unified_diff(
                file_lines,
                output_lines,
                fromfile='existing %s' % options.filename,
                tofile='new result',
            ))
            for line in diff:
                print(line, end=' ')
            print(file=sys.stderr)
            print('Managed permission ACI validation failed.', file=sys.stderr)
            print('Re-check permission changes and run `makeaci`.', file=sys.stderr)
            sys.exit('%s validation failed' % options.filename)
    else:
        with open(options.filename, 'w') as file:
            file.writelines(output_lines)


if __name__ == '__main__':
    options = parse_options()
    main(options)
